Lily Hay Newman Security Jun 10, 2026 4:55 PM CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats “Defenders cannot afford to take weeks to patch,” one Cybersecurity and Infrastructure Security Agency official warned on Wednesday. CISA acting director Nicholas Andersen Photograph: Andrew Harnik/Getty Images Save this story Save this story With new generations of AI models fueling both rapid software vulnerability discovery and the potential for faster exploitation by malicious hackers, the United States Cybersecurity and Infrastructure Security Agency released a new directive on Wednesday that requires more rapid and efficient software patching by federal civilian agencies. The “binding operational directive” (BOD) lays out a rubric for how quickly bugs must be fixed based on four assessments of urgency, with a turnaround time in critical cases of just three days. Chris Butera, CISA's acting executive assistant director for cybersecurity, told reporters on Wednesday that the goal of the directive is to help agencies prioritize, so they can address the most problematic vulnerabilities first while taking more time to remediate bugs that pose a less-pressing risk. The directive comes as private companies and governments have been scrambling to assess the extent of the cybersecurity reckoning that AI vulnerability and exploit development capabilities could unleash. “Prioritizing IT and security operations attention on the most at-risk assets is particularly important now given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in [federal] assets,” Butera said on Wednesday. “Defenders cannot afford to take weeks to patch systems that can be autonomously exploited en masse.” The CISA directive's criteria for evaluating patch urgency includes looking at whether a vulnerability is in a system that is publicly exposed, whether the bug is listed in CISA's Known Exploited Vulnerabilities Catalog , whether an attacker could automate all of the steps to exploit the vulnerability, and how much access an attacker would get to the target if the bug were exploited. A vulnerability where all four points apply must be fixed within three days, according to the new directive, and the agency must also execute a “ forensic triage ” process to determine whether systems have already been compromised. The directive supersedes two previous CISA orders related to patching timelines for urgent vulnerabilities—one from 2019 and one from 2021 . Those established a framework in which the most critical bugs had to be patched within 15 days of detection and another class of high-urgency vulnerability had to be remediated within 30 days. And both encouraged faster patching for severe flaws when possible. Even before the AI era, in 2021, CISA wrote that “threat actors are extremely fast to exploit their vulnerabilities of choice: of those 4% of known exploited [vulnerabilities], 42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.” US federal cybersecurity has improved significantly over the past decade, but it still often lags, thanks to funding shortfalls and competing priorities. CISA's Butera said that the agency developed the new assessment rubric and the directive more broadly with these limitations in mind. He noted, for example, that the three-day deadline for the most urgent vulnerabilities isn't, say, 24 hours, because such a short timeframe would not be feasible for most agencies. New AI capabilities are already changing the landscape of vulnerability detection and bug hunting. And as this spurs new urgency in patching, many researchers have started to conclude, essentially, that no amount of patching will be enough—and that the software development community globally must work to adopt new, architectural or systemic approaches to invalidating whole classes of vulnerabilities at a time. “CISA's directive has its heart in the right place, but it only tackles half the challenge,” says Emily Long, CEO of the cloud security firm Edera. “If your architecture doesn't limit what an attacker can reach after a breach, you're just running faster on the same treadmill. Patching will always be important, but we should be talking more about containment by design.” CISA's Butera seemed to acknowledge this evolution on Wednesday. The new directive “is an initial step to counter the increased capabilities of emerging AI models,” he says. “Yet there is still more work to do.” Comments Back to top You Might Also Like In your inbox: The week’s biggest tech news in perspective The Pentagon did almost nothing to stop enemies from tracking US troops’ phones Big Story: Can normies really vibe code? A hacker group is poisoning open source code at an unprecedented scale Livestream replay: How AI is transforming work Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate, and was the staff writer for Future Tense, a publication and partnership between Slate, the New America Foundation, and Arizona State University. Her work ... Read More Senior Writer Topics cybersecurity hacking security vulnerabilities malware hacks national security Infrastructure critical infrastructure Department of Homeland Security Read More Top T-Mobile Business Internet Promo Codes and Phone Deals Discover how to save on T-Mobile Business Internet and phone plans, from sign-up perks and switching rewards to bundled offers and free lines. Molly Higgins Altra Running Promo Codes and Deals June 2026 Score big savings on Altra Running shoes with up to 50% off sale styles, 20% off select models, 10% off your first order when you sign up, plus free standard delivery on every purchase. Adrienne So Top Columbia Promo Codes: 15% Off for June 2026 Explore current Columbia deals on jackets, outdoor gear, and apparel. Find active Columbia promo codes, student discounts, and free shipping offers to save on your next adventure. Boutayna Chokrane B&H Photo Promo Codes and Deals This June Enjoy top deals on cameras, computers, and tech essentials at B&H Photo. Scott Gilbertson Top Sephora Promo Codes: 20% Off for June Earn more points on skincare purchases when you use our Sephora coupon. Louryn Strampe Top Hoka Coupon Codes: 30% Off in June 2026 Unlock free expedited shipping or 10% off with today’s Hoka discount codes, plus save up to 30% with the best discounts for June 2026. Adrienne So Get 20% Off With a Brooks Promo Code for June 2026 Enjoy 20% off your first order with a Brooks coupon code, plus top discounts and deals on our favorite Brooks running shoes. Adrienne So Top LG Promo Codes and Coupons for June 2026 Save 20% with an LG promo code today, plus up to $1,000 off appliances, 40% off bestselling TVs and monitors. Ryan Waniata Top Paramount+ Coupon Codes and Deals for June 2026 Save on streaming with the latest Paramount+ promo codes and deals, including 50% off subscriptions, free trials, and more. Molly Higgins Top Canon Promo Codes: 30% Off for June 2026 Save an extra 10% or 30% with Canon coupon codes, plus up to $1,600 on cameras, printers, and more this June. Scott Gilbertson Top Herman Miller Promo Codes: Save Up to 40% Off Whether you’re looking for a Herman Miller promo code or discounts in their sale, here is how to save on the world's best ergonomic office furniture this month. Nena Farrell Apple’s Camera Chief Thinks AI Can Give You Superpowers The generative features in iOS 27’s new Photos app will add fake pixels to some of your shots, but Apple’s Jon McCormack says the company isn’t using AI “for the sake of AI.” Julian Chokkattu